Modern economies increasingly depend on a variety of devices that facilitate financial transactions, or the exchange of legal tender for goods or services, or funds transfers. Prominent among these devices are credit cards, debit cards, and automated teller machines (ATMs), as well as online banking, mobile banking and money transfer products which use such devices. These devices include numerical information such as an account number representing a user's credit, debit, prepaid or banking account, as well as textual information that may indicate, for example, the identity of the user or the identity of the creditor or banker entity. Also included may be security code values or information used to reduce fraud. These values may also include forms of multi-factor identification that a consumer or business uses to verify identity with the entity enabling the transaction, including but not limited to images, computer characteristics, user biological characteristics, IP addresses and computed values.
A problem with the above financial transaction devices is that their numerical and/or textual information may be compromised, that is, obtained by an unauthorized third party (i.e., a fraudster). Once the information is compromised, the third party may execute a number of unauthorized and highly damaging financial transactions, and often goes undetected for a long period of time.
Mass compromise of account and identity information is a major fraud concern for financial institutions, processors, networks and merchants. Past methodologies of compromise detection have included taking collections of fraud account information to determine common links in the past transaction histories associated with the fraud accounts. However, detection of compromises that do not have easy-to-identify commonalities between account transactions has not been adequately addressed. Examples include cases in which a transaction network or data processing network is breached, or in which access to information is not part of the transaction stream used by the compromise detection system (for example, debit cards and personal identification numbers, or "PINs," compromised at a fake ATM, which is not on a transaction network). In these situations, other approaches are necessary to detect groupings of compromised accounts based on suspicious usage patterns.
Other types of compromises are much more difficult to detect. Network breaches may not be directly traced to a single ATM or merchant. In this situation, payment processors may be compromised, and subsequently, account and identity information is stolen in such a fashion that the compromised accounts may not have a natural common characteristic, such as the same receiver/merchant/ATM, to tie accounts together in a compromise cluster. Likewise, accounts are sometimes used as forms of identification, for example to retrieve an airline reservation, and their use in this fashion will not result in an authorization or posting that could be used in a system that relies on purchase authorizations/postings to link accounts to a common point of compromise. Further, when fake ATMs or other devices or phishing attacks are set up to collect information, they are often not linked to the network, and it is impossible to determine from the accounts' transaction histories which accounts have been to a particular rogue device designed to collect account information.
Also, account providers prefer not to block and reissue large numbers of accounts every time a breach is identified. Account providers risk consumers turning away from using their payment instruments due to public perceptions of payment system security. Providing the accounts with the highest likelihood of compromise to a real-time (or just-in-time) fraud detection system will allow account providers the flexibility of denying transactions at authorization based on their compromise risk score. This may reduce the need to close the account at all or to institute a large block and reissue of accounts to account holders. At times the size of the breach may preclude account providers from performing a block and reissue at all, particularly when other issuers are impacted similarly and there is not enough industry capacity to reissue all the accounts in a timely manner.
The fraud and compromise location and type information can be shared with law enforcement and other entities to catch the perpetrators of the compromises and subsequent fraudulent transactions.